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Abstract. It has been recognized that a framework based on proof- 
carrying code (also called semantic-based software certification in its 
community) could be used as a candidate software certification process 
for the avionics industry. To meet this goal, tools in the “trust base” of a 
proof-carrying code system must be qualified by regulatory authorities. 
A family of semantic-based software certification approaches is described, 
each different in expressive power, level of automation and trust base. 
Of particular interest is the so-called abstraction-carrying code, which 
can certify temporal properties. When a pure abstraction-carrying code 
method is used in the context of industrial software certification, the 
fact that the trust base includes a model checker would incur a high 
qualification cost. This position paper proposes a hybrid of abstraction- 
based and proof-based certification methods so that the model checker 
used by a client can be significantly simplified, thereby leading to lower 
cost in tool qualification. 


1 Introduction 

Safety critical programs, such as those controlling an airplane, a nuclear power 
plant, or a medical system, are subject to the highest level of verification and 
validation (V & V) effort, which is often outlined by administrative authorities. 
For example, to deploy an autopilot program onboard an aircraft, the vendor 
must supply evidence to a Federal Aviation Administration (FAA) representative 
that shows compliance to FAA’s guidelines [11]. The certification process used 
in the aviation industry currently relies heavily on peer review and testing. 

Many properties of a software product, such as correctness, or general as 
well as domain-specific safety, may be proven via deduction, synthesis, or other 
techniques [10, 1,9,5]. If the vendor proves the property and presents the proof 
to the FAA representative, the representative may check the proof and conclude 
that the system is indeed safe or correct relative to a specification. Such a scheme 
is known as proof-carrying code. In a general setting, the vendor may not have 
to provide a proof, but some intermediate, semantic-based objects (collectively 
called a certificate) that help to establish the proof. The generalized category of 
approaches is known as semantic-based software certification. The soundness of 
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such a framework, however, is based on the assumption that programs consti- 
tuting the “trust base” are correctly implemented. 

Semantic based software certification was originally designed for the safe dis- 
tribution of software in an untrusted environment. The approach can be adapted 
to software certification in avionics and other industries. A significant gap be- 
tween research and industrial practice is the lack of qualified tools. 1 . 

It is necessary to distinguish two sets of tools. Besides the trust base, there 
are often other tools involved in a semantic-based software certification/re- 
verification process. Naturally, the tools in the trust base should be more strictly 
scrutinized because their failure can allow errors to propagate to final products. 
It is expected that tools in the trust base will incur higher cost during qualifi- 
cation because of their higher criticality. 

This suggests the need for architectural principles for designing tools to 
achieve desired trust goals. Choosing an optimal partitioning of components 
into trusted and untrusted sets becomes an important decision. Considering the 
high cost of qualification, the functionality needs to be decomposed in a way 
such that the combined cost of qualifying the tools is minimal. 

Thus, the problem of selecting tools to qualify is a choice among approaches 
that have the required expressive power and trust attributes, and also allow a de- 
composition of the functionality that incurs acceptable qualification cost. Of par- 
ticular interest in this paper is the case of abstraction-carrying code[14], which 
certifies temporal properties. Its trust base contains a model checker, which is 
an additional component beyond those of most other certification methods. 

2 Abstraction-Carrying Code 

In a sense, the concept of semantic-based program certification can be under- 
stood as decomposed program verification. Consider a vacuous program certifi- 
cation technique, where the certificate contains nothing. In this case, the regu- 
latory authority (represented by and referred to hereafter as a DER, Designated 
Engineering Representative) has to verify the program on her own. If hints, for 
example, a loop invariant, are provided by the vendor, the DER is relieved of 
discovering this fact. But she needs to reverify that the loop invariant is indeed 
a loop invariant. On the trust base side, a data-flow analyzer that she may trust 
is now replaced by a simpler data-flow fact verifier. Because simpler programs 
are less expensive to qualify, and because we have assumed that a tool in the 
trust base requires a stricter, more expensive qualification process, the setting 
in which the vendor provides such a hint is beneficial in terms of tool qualifica- 
tion cost. As a principle, we should exploit this trade-off between the amount 
of information (size of certificate) provided by the vendor and the complexity of 
the trust base. 

Traditionally, semantic-based program certification is proof-based. In theory, 
this scheme works for any properties that can be formalized in the underlying 

1 Other issues include, and are not limited to, recognition, training, and expressive 
power/tool support. 
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logic. And in practice, proofs can be generated for many safety properties even 
if approaches other than theorem proving are used. However, sometimes for 
general temporal properties, generating a proof may not be feasible. A different 
paradigm based on abstraction-carrying code is proposed. Table 2 lists several 
different, real or imaginary certification settings with their expressive power and 
associated trust base. 


Certification Method 

Properties 

Trust Base 

Null Certificate 

provable properties 

every tool needed for proving 

Touchstone 

type and memory safety 

VCGen and proof checker 

AutoBayes 

domain specific safety 
and memory safety 

VCGen and proof checker 

Any proof 

provable properties 

VCGen and proof checker 

Abstraction-carrying code 

temporal properties 

VCGen, proof checker 
and model checker 


The first row in the table refers to the no-certificate situation. The second 
row roughly corresponds to the setting of the original PCC work by Necula and 
Lee [10], where type safety and memory safety is of concern, where the trust 
base contains a verification condition generator (VCGen) and a proof checker. 
Row 3 represents the application of PCC techniques in the verification of domain- 
specific properties. For example, work by Denney et. al., automatically generates 
programs with proof-carrying code style proofs for domain specific safety prop- 
erties [5]. Row 4 corresponds to the setting where the client uses a proof assistant 
(and probably a lot of human effort) to prove properties of concern. 

Our focus is on Row 5, which corresponds to the abstraction-carrying code 
research by Xia and Hook. The idea is to apply predicate abstraction [6] and 
model checking to a program to verify an LTL property. Predicate abstraction 
may be automated by adopting counter-example driven predicate discovery [2, 4]. 
In this process, a predicate abstraction of the program is generated and passed 
to a DER. A DER will first verify that the abstract model is faithful to the 
program and then verify that the property does hold on the abstract model. 
The faithfulness check can be implemented much the same way as in PCC, that 
is, via a VCGen and a proof checker. 

The proof-carrying code literature has elaborated how the VCGen and proof 
checker may be constructed in a simple manner. For example, a typed assembly 
language approach [8] can adopted for VCGen construction and a higher order 
logic framework [10] is used in proof checking. Our research is focused on how 
to restructure a model checker to achieve similar results. 

3 Qualifiable Model Checkers 

One of the initial design goals of abstraction-carrying code is to reduce the size 
of the certificate because of the need to transport it and check it at run time. In 
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certifying for administrative approval, however, size is not an important factor. 
There are approaches that generate proofs for certain sub-categories of proper- 
ties after predicate abstraction/model checking[9, 7]. But such an approach may 
not be feasible for general LTL formulas. Therefore, the ability of abstraction- 
carrying code to certify temporal properties is still useful. In ACC, the trust base 
includes a model checker, which is absent from PCC. We are going to explore 
the trade-off between certificate size and complexity of the trust base to build a 
more cost-effectively qualifiable model checker. 

The model checker to be used by a DER in abstraction-carrying code is differ- 
ent from a general purpose model checker: it checks an abstract model known as 
a Boolean program (BP) [3] . A typical BP statement tests if a propositional for- 
mula holds given an environment, represented as another propositional formula, 
and changes the state accordingly. Compared to a model checker for a target 
program, for example, the Java Pathfinder [13], the model checker for a Boolean 
program does not need to handle the semantics of the object language. In con- 
trast, more than half of the code in Java Pathfinder implements the semantics 
of a virtual machine. 

Still, this model checker is a fairly complicated program. For example, Moped 
[12], contains 10 K lines of C code, not counting the supporting BDD library. 
To reduce the size of this model checker while still achieving the requirements 
of re- verification, we resort to the tools that already exist in the trust base: the 
VCGen and the proof checker. Specifically, we use a hybrid approach to reuse 
some of the model checking work that would be performed by the vendor during 
the original analysis. This tool can be more complicated because it is not in the 
trust base. We enhance the vendor’s model checker to record every transition 
made by the model checker. That is, for a transition (a BP statement t) that 
moves the system state (represented as a propositional formula) from si to S 2 , we 
note down the triple (si, t, S 2 ). Then the reduced model checker does not have to 
compute S 2 , but just verify that t(si) is S 2 . Further, because the application of t 
to a state can be reduced to the test of satisfiability in propositional logic, we may 
simply keep a record of the piece of evidence that a proposition can be satisfied. 
This way, we can replace the SAT solver, or the BDD package used in the model 
checker with a Boolean evaluator. The DER will run this reduced model checker, 
which, when a satisfiability problem in the Boolean domain is needed, will just 
verify the proof presented by the vendor. In this way, the semantic engine needed 
to analyze the Boolean program is simplified. 

We are at the very early stage of this investigation. We are aware that the 
complexity of the trust base is only one of the many factors involved in tool 
qualification. Still, we expect to build a prototype system that can be plugged 
into our previous implementation of an ACC system called ACCEPT/C and 
evaluate the effective of this reduced model checker. This will allow exploration 
of the primary trade-off: delivering more detailed evidence at certification time 
in exchange for the benefits of reduced-complexity verification tools. 
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